February 24, 2012

Well, well, well... It's that time of the year again: RSA Conference, the infosec class reunion!

As with my ongoing #TSASongs lampooning of the TSA, I like to drip, drip, drip or death-by-comedy my fellow tweeple with some infosec snark, for the weeks before the RSA Conference, when the vendor-PR spin machines start roaring past oughtta-be-illegal decibels. I use the main conference hashtag #RSAC to sneak in a few sarcastic, overwrought fake vendor pitches, replete with the latest and greatest buzzwords used (and abused) by infosec vendors, analysts and press.

Self-employed consultants like myself can do no wrong, of course, so I don't include that essential category in this ribbing ;-)

This is in many ways poking fun at what's going on in the infosec industry on any given day, not just at RSA Conference. When the tough economy meets daily train wreck headlines of massive breaches... the vendor who shouts the loudest and scariest often gets the most leads: http://t.co/SZDxchFO

Monty Python really gets it!

Note I didn't say the best quality leads, just the most leads...

Below please find a few of the better #RSAC tweets I dropped into the conference buzz machine.

February 22, 2012

Since late 2009, I've been on a roadshow called Security Domination via Hard Drive Isolation, discussing the emerging Desktop-on-a-stick, PC-in-your-pocket and other USB-based mobility and security approaches. The niche emerged before the iThings craze really came to a full roar and is still today actively pursued as a valid approach for many use cases, including secure telework and remote access, disaster recovery and more.

There are several players in the USB hardware space that claim high-security encryption, some with a FIPS 140-2 level 3 validation from NIST. I would generally trust these USB sticks to carry files around, as a sort of secure briefcase, from one trusted machine to another, or as a backup media that's pre-encrypted.

Once the vendors in question start making claims that move past the secure briefcase use case, I start getting a bit concerned as to the nature of security they can provide.

There are two schools of thought in this niche: Bootable (boot to a clean OS) vs. Bubble. The bubble variety (by far the most common) is inherently less secure than the bootable for defeating software malware, since the bubble relies on various mechanisms that claim to defeat malware on the spinning disk of the host OS on the host machine (usually Windows). In my mind, this is a losing proposition, considering the sophistication of the malware we're seeing out there and the pace of evolution that the 'authors' have demonstrated.

While I've always been in awe of some of the mil-spec sticks' resistance to physical destruction, there are some claims that they make regarding the security of their extended product lines that I've challenged in the Security Domination talk. I specifically called out the issue of untrusted host OS keystroke-logging and screenshot-grabbing (yes, that's a term..) as a problem in the bubble space. Furthermore, I called out the inevitable destruction of the claim that the virtual (on-screen) keyboard was a solution to the problem.

Turns out that sick, er, great minds think alike! I just found this youtube video from April 2010 that challenges the virtual keyboard security claims via a demonstration of keystroke logging of USB key unlock passwords, including input from the virtual (on-screen) keyboard.

Here you go, virtual keyboard security is not as secure as we'd like it to be.

This type of malware is (to be uncharacteristically mild) problematic for the high-security USB vendors who claim to solve several malware-related security problems without booting to a clean OS.

Not to put too fine a point on it, please understand this: If you're inserting a USB key into a USB port on an untrusted machine and you're not booting into a clean alternative OS, but rather piggybacking onto the untrusted, pre-pwned OS on the host machine... well then, you're putting the unlock password (and any other work you perform from the USB key's virtual OS) at risk from software keystroke loggers and screenshot grabbers, etc.

PS Hardware keystroke loggers are a related but different issue and are not in the scope of this discussion.